|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1 SP1
|Issue||A new replica appears to attach, but replication then fails internally and the replica cannot replicate. The failure is ERROR: duplicate key value violates unique constraint "ak_ims_principal_isrcid_uid" |
ReplicationRunnable.logOrThrowBeforeReInit(168) | cisrsa01a.caci.com,,,,database connection failure: PreparedStatementCallback; SQL ; FATAL: terminating connection due to administrator command; nested exception is org.postgresql.util.PSQLException: FATAL: terminating connection due to administrator command
pm2-ace03.caci.com,,,,failed to apply change:
[stmt type] U
[new] (8ef768d2bac90e0a043397ada3b02b94,1423516932791,25,,,,,,,,,jguillette,,,,,,,,f,"2015-02-09 21:22:12.791",,,,,,0101000,,"\\4b\\91\\14\\b5\\2f\\3a\\08\\46\\82\\75\\03\\39\\58\\8f\\48
@@@2015-02-09 16:23:00,266 FATAL [ApplyR2P-6fa79c0be9c80e0a0801128a9e2d9533 Last Applied Chgset Id: 52214 Last Received (from replica) Chgset Id: 52215 Next Chgset Id To Apply: 52215 Curr Repl Txn Id: 616220 Repl Chg Id: 159526 Hostname: cisrsa01a.caci.com]
ServiceCallable.runMainLoop(86) | 006-pm2-ace03.caci.com,,,,Unhandled exception during main loop. Shutting down this service thread.
com.rsa.replication.UnexpectedApply2PException: unable to apply replica changes
Caused by: org.postgresql.util.PSQLException: ERROR: duplicate key value violates unique constraint "ak_ims_principal_isrcid_uid"
Detail: Key (loginuid, identity_src_id)=(jguillette, 1c166563bac90e0a016d3f1617e2afe4) already exists.
Where: SQL statement "update rsa_rep.IMS_PRINCIPAL_DATA
Removing the replica from the primary's Operations Console (OC), factory-resetting the hardware replica and generating a new replica package did not help: the replica failed to attach again with the same error.
Second symptom: authentication failures with "Principal Not Found"; see KB 000029958.
|Cause||Something changed for the user in the external LDAP identity source* (in the example above the user ID is jguillette): the user was either moved, or was placed in a group that is also within the scope of the identity source, so that the user now appears to be a duplicate. Secondary symptoms include:|
1. The user cannot be edited in the Security Console (duplicate user error)
2. Cleanup does not fix this situation
* If AD users are deleted and re-created during their move, they are given a new Object GUID. This prevents Authentication Manager from finding their original location in AD and blocks a clean-up, because there is now an apparent duplicate user ID or sAMAccountName.
The RSA Authentication Manager external LDAP identity source finds and manages Active Directory users through two attributes, the distinguished name (DN) and the Object GUID (see the AM 8.1 Administrator's Guide, search for 'Distinguished Name').
You can verify this in AD by opening the user's Properties and the Attribute Editor tab. Check the DN and Object GUID before and after any move.
If both changed, Authentication Manager will not be able to resolve the user, but it also cannot clean the user up, because the sAMAccountName still exists.
|Resolution||1. Modify the external LDAP identity source's user search filter under the Map tab to exclude this user, jguillette, by adding a NOT condition on sAMAccountName for jguillette|
to the default, current user search filter of
So that you have
2. Run a Cleanup job in the Security Console (Setup > Identity Sources).
3. Remove the NOT condition on sAMAccountName for jguillette from the user search filter, restoring your default, e.g. (objectClass=User)(objectcategory=person).
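The following is an added example (not RSA's code) showing how the temporary user search filter from steps 1 and 3 is composed, with the account name escaped so it cannot alter the filter's structure, and how the DN/Object GUID comparison from the Cause section can be applied to attributes captured before and after a move. The attribute names, the sample OU and the GUID strings are constructed assumptions.

```python
# Added example (not RSA's code): compose the temporary AD user search filter from the
# Resolution steps and apply the Cause section's DN/objectGUID rule of thumb.
# The sample DNs, OU names and GUID strings used for testing are constructed values.

# RFC 4515 characters that must be escaped inside an assertion value, so a login
# name cannot alter the structure of the filter it is spliced into.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _is_single_group(f: str) -> bool:
    """True when the '(' opening f is closed only by its final ')'."""
    depth = 0
    for i, ch in enumerate(f):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i == len(f) - 1
    return False


def build_user_filter(base_filter: str, exclude_sam: list) -> str:
    """Step 1: AND the default filter with one (!(sAMAccountName=...)) per excluded
    account. Step 3: an empty exclude list returns the default filter unchanged.
    base_filter may be bare components, as quoted in the KB, or already wrapped in (&...)."""
    if not exclude_sam:
        return base_filter
    wrapped = base_filter.startswith("(&") and _is_single_group(base_filter)
    inner = base_filter[2:-1] if wrapped else base_filter
    nots = "".join(f"(!(sAMAccountName={escape_filter_value(s)}))" for s in exclude_sam)
    return f"(&{inner}{nots})"


def classify_ad_move(before: dict, after: dict) -> str:
    """Compare the DN and objectGUID captured before and after a move (Attribute Editor tab).
    'resolvable': objectGUID unchanged, so Authentication Manager still finds the user.
    'apparent_duplicate': DN and objectGUID both changed but the sAMAccountName survived,
    which is the state in which Cleanup cannot remove the stale principal.
    'inconclusive': any other combination; the KB states no rule for it."""
    if after["objectGUID"] == before["objectGUID"]:
        return "resolvable"
    if (after["distinguishedName"] != before["distinguishedName"]
            and after["sAMAccountName"] == before["sAMAccountName"]):
        return "apparent_duplicate"
    return "inconclusive"
```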
|Notes||Older versions reported this error as "The specified ID is already in use by an unresolvable user within this realm".|